Data security is critical, and if your organisation is breached, you will be judged on your preparation and response. It’s time for a refresh.

Where do you start with data security? Malicious data breaches are increasing both in frequency and impact. In the past year, we have seen attacks damage reputations and, sometimes, affect the financial stability of the largest organisations – from Marks & Spencer and Co-Op to Rolls-Royce. And smaller firms are just as likely to be attacked and are often more vulnerable.

You may also be concerned about the increased risks created by changing working patterns, cloud storage, growing numbers of remote logins, and rapid AI developments (used by employees and attackers alike). Evolving legislation in multiple jurisdictions adds another layer to compliance and assurance.

Meanwhile, the pace of change is so rapid that even if you felt fully on top of data security rules and threats a few years ago, the expertise you had then is now out of date.

Time for a refresh? If so, the Chartered IIA has redesigned its course “Data security, governance and UK data protection assurance in the modern digital workplace”.

A single day on this course will give you an overview of the latest data legislation, an update on current and emerging data security threats, practical techniques for assessing your data control environment and data maturity, and the technical, behavioural and process controls you could introduce to mitigate risks.

Attendees will also leave with suggested IT and governance frameworks and best practice approaches so they can hit the ground running back in the office.

Who is it for?

“This is one of those topics that is relevant across the board,” explains Dr Stephen Hill, the course leader.

“Data security is everyone’s responsibility. Someone (usually on the senior leadership team) should be the ‘voice’ of data security across the whole organisation. Internal auditors should look for compliance with data rules, including GDPR and the Data (Use and Access) Act. They must identify who is responsible for data security and check that they understand what is required. They should assess data security culture and provide assurance to the board.”

While internal audit leaders may need to update their knowledge of data rules and emerging threats, those carrying out related audits need to understand what is best practice and what constitutes meaningful assurance. Outside the internal audit team, managers responsible for governance, data use, and data systems may also find the course useful.

“Organisations are realising that data security is not about ticking compliance boxes,” Hill explains. “Data, even in smaller firms, is no longer seen as insignificant. It is critical to operations and to organisations’ reputations. If an attacker steals your data or prevents you from accessing it, it can finish your business.”

No organisation can operate entirely offline, so every business could be attacked, and should prepare to be. Cybercrime is big money.

“Data is now the biggest asset of an organisation. Without it, it’s game over,” Hill says.

Medical data has now overtaken financial data in value, he adds – and every organisation with employees holds medical data. Protecting this is part of the employer’s duty of care to its people.

Training and awareness

A key issue for internal audit is company culture and awareness of data risk. “Do your people understand that if they go to an airport and access the internet using free wifi, or charge their computer at a public USB port, they are exposing your systems to risk?” Hill asks.

Internal audit should be checking the organisation’s security measures and how quickly it would be alerted to a breach. But it should also look at whether staff are trained and know what to do if they spot a problem or see someone circumventing the rules.

All staff should understand that there will be penalties for negligence or rule-breaking, and that message should be communicated and demonstrated from the top. AI is making attacks more convincing, but it is also providing defences. Employees need to know both sides: what should they watch out for, and how are their own systems monitored by AI?

“For many years, there’s been a separation between IT governance and corporate governance, but these must be closely aligned and embedded,” Hill warns. “These are fundamental and should also align with risk management.”

“When something goes wrong, the Information Commissioner’s Office (ICO) will look at whether you did everything you could to prevent problems and put in place controls, and whether you reported a breach quickly and responded effectively,” he says.

While a breach may be unavoidable, your organisation will be judged on its response. Do you hold Cyber Essentials certification? Can you demonstrate that your controls are understood and adequate? Do you keep up with changes to risks and mitigations? Attending this course could itself help demonstrate that you were up to date and well informed.

“Tomorrow will not be the same as today – are you prepared?” Hill asks.

The next “Data security, governance and UK data protection assurance in the modern digital workplace” course takes place on 13 May.
